Linux Hardening Script: Enhancing System Security With Automated Practices

2025-02-04

Linux Hardening Script: Enhancing System Security with Automated Practices

The `linux_hardening.sh` script is an automated tool designed to improve the security of a Linux system. It follows best practices for hardening, including disabling unnecessary services, configuring security permissions, auditing the system, and applying security policies. Below is an example of how such a script might look, along with verified commands and practices.

#!/bin/bash

<h1>Disable unnecessary services</h1>

sudo systemctl disable telnet
sudo systemctl disable ftp
sudo systemctl disable rpcbind

<h1>Configure security permissions</h1>

sudo chmod 700 /root
sudo chmod 600 /etc/shadow
sudo chmod 644 /etc/passwd

<h1>Audit the system</h1>

sudo apt-get install auditd
sudo auditctl -e 1

<h1>Apply security policies</h1>

sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

<h1>Enable automatic security updates</h1>

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

<h1>Harden SSH configuration</h1>

sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

<h1>Enable SELinux or AppArmor</h1>

sudo apt-get install apparmor apparmor-utils
sudo systemctl enable apparmor
sudo systemctl start apparmor

<h1>Clean up</h1>

sudo apt-get autoremove
sudo apt-get autoclean

What Undercode Say

Linux system hardening is a critical step in securing your infrastructure. The `linux_hardening.sh` script provided above automates many of the essential tasks required to secure a Linux system. Here are some additional commands and practices that can further enhance your system’s security:

File Integrity Checking: Use tools like `AIDE` or `Tripwire` to monitor file integrity.
```
sudo apt-get install aide
sudo aideinit
```

Kernel Hardening: Enable kernel hardening parameters in /etc/sysctl.conf.

echo "kernel.randomize_va_space = 2" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Log Monitoring: Use `logwatch` or `syslog-ng` for comprehensive log monitoring.

sudo apt-get install logwatch
sudo logwatch --detail high --mailto [email protected] --range today

Network Security: Use `nmap` to scan for open ports and `iptables` for advanced firewall rules.
```
sudo apt-get install nmap
sudo nmap -sT -O localhost
```

User Account Security: Regularly audit user accounts and permissions.

sudo awk -F: '($3 == 0) {print}' /etc/passwd
sudo passwd -l username

SELinux Configuration: If using SELinux, ensure it is in enforcing mode.
```
sudo setenforce 1
sudo getenforce
```
Regular Updates: Ensure your system is regularly updated.
```
sudo apt-get update
sudo apt-get upgrade
```
Backup and Recovery: Implement regular backup strategies using `rsync` or Bacula.
```
sudo apt-get install rsync
rsync -av /home /backup/
```

Disable USB Storage: Prevent unauthorized USB storage access.

echo "install usb-storage /bin/true" | sudo tee /etc/modprobe.d/disable-usb-storage.conf

Secure Boot: Ensure Secure Boot is enabled in your BIOS/UEFI settings.

By following these practices and using the provided script, you can significantly enhance the security of your Linux systems. Remember, security is an ongoing process, and regular audits and updates are essential to maintaining a secure environment.

For further reading and resources, consider the following URLs:
– Linux Hardening Guide
– SELinux Documentation
– AppArmor Documentation